Howdy, Stranger!
Categories
- All Categories
- 73 General
- 73 Announcements
- 66.6K Microsoft Dynamics NAV
- 18.7K NAV Three Tier
- 38.4K NAV/Navision Classic Client
- 3.6K Navision Attain
- 2.4K Navision Financials
- 115 Navision DOS
- 854 Navision e-Commerce
- 1K NAV Tips & Tricks
- 772 NAV Dutch speaking only
- 615 NAV Courses, Exams & Certification
- 2K Microsoft Dynamics-Other
- 1.5K Dynamics AX
- 305 Dynamics CRM
- 109 Dynamics GP
- 10 Dynamics SL
- 1.5K Other
- 993 SQL General
- 384 SQL Performance
- 34 SQL Tips & Tricks
- 34 Design Patterns (General & Best Practices)
- Architectural Patterns
- 10 Design Patterns
- 5 Implementation Patterns
- 53 3rd Party Products, Services & Events
- 1.7K General
- 1.1K General Chat
- 1.6K Website
- 79 Testing
- 1.2K Download section
- 23 How Tos section
- 260 Feedback
- 12 NAV TechDays 2013 Sessions
- 13 NAV TechDays 2012 Sessions
Employee Portal Vulnerability
SteveO
Member Posts: 164
Hello to everyone,
Just thought I'd let you all in on a recent discovery I made with regards to Employee Portal.
When the webparts are writing out data from Navision they process html tags, and do not write them out as plain text. This unfortunately could allow malicious scripts to be run.
eg. If someone enters
in the customer name in the customer card webpart then the Customer List will show Some Name formatted with the h1 tags.
How does this get reported to Microsoft so that it can be corrected?
Just thought I'd let you all in on a recent discovery I made with regards to Employee Portal.
When the webparts are writing out data from Navision they process html tags, and do not write them out as plain text. This unfortunately could allow malicious scripts to be run.
eg. If someone enters
<h1>Some Name</h1>
in the customer name in the customer card webpart then the Customer List will show Some Name formatted with the h1 tags.
How does this get reported to Microsoft so that it can be corrected?
This isn't a signature, I type this at the bottom of every message
0
Comments
MVP - Dynamics NAV
My BLOG
NAVERTICA a.s.